Tuesday, June 14, 2011

Automated Independent Gadget Search

Goal
The goal of this research is to be able to use return-oriented programming in a platform-independent way across multiple architectures.

Motivation
-CPU architecture diversity is increasing.
-We want to execute code on machines despite the presence of non-executable memory, but we do not address ASLR.

History

Strategy
-Use only already present code
-No single-instruction / return-style approach
-Use REIL to be platform independent
-Use "free-branch" instructions rather than ret only
-"Find all first, then filter useful ones" approach
-Keep an eye on side-effects and minimize them

Algorithms stage III
Goal of the stage III algorithms:
-Search for useful gadgets in the merged data. Use a tree match handler for each operation.
-Select the simplest gadget for each operation. Use a complexity value (derived from side-effects) to determine which gadget is least complex.
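As an added illustration of the stage III step above (not the original tool's code), the following toy models one tree match handler per operation and the complexity-based choice over constructed REIL-like effect trees; the node representation, the handler table and the sample gadgets are assumptions made for the example.

```python
"""Toy stage III: per-operation tree match handler, then least-complex selection."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    op: str              # REIL-like operation ("LDM", "ADD") or a leaf ("reg:r0")
    args: tuple = ()     # child expression trees

def tree_match(pattern, tree, binds):
    """Pattern leaves named '?x' are unconstrained wildcards; a repeated
    wildcard name must bind to the same subtree."""
    if pattern.op.startswith("?"):
        return binds.setdefault(pattern.op, tree) == tree
    if pattern.op != tree.op or len(pattern.args) != len(tree.args):
        return False
    return all(tree_match(p, t, binds) for p, t in zip(pattern.args, tree.args))

def size(tree):
    return 1 + sum(size(a) for a in tree.args)

# One match handler per operation: (destination pattern, value pattern). Assumed names.
HANDLERS = {
    "load_reg_from_mem": (Node("?dst"), Node("LDM", (Node("?addr"),))),
    "add_regs":          (Node("?dst"), Node("ADD", (Node("?a"), Node("?b")))),
}

def complexity(effects, matched_dest):
    """Complexity value: every write other than the one we wanted is a
    side-effect, weighted by the size of the expression it writes."""
    return sum(size(v) for d, v in effects.items() if d != matched_dest)

def find_simplest(operation, gadgets):
    """gadgets: {name: {destination_tree: value_tree}} (the merged data).
    Returns (gadget name, complexity) of the least complex match, or None."""
    dest_pat, val_pat = HANDLERS[operation]
    best = None
    for name, effects in gadgets.items():
        for dest, value in effects.items():
            binds = {}
            if tree_match(dest_pat, dest, binds) and tree_match(val_pat, value, binds):
                cost = complexity(effects, dest)
                if best is None or cost < best[1]:
                    best = (name, cost)
    return best

# Constructed sample gadgets (not taken from any real binary).
R = lambda n: Node("reg:" + n)
SAMPLE = {
    "g1": {R("r0"): Node("LDM", (R("sp"),)), R("sp"): Node("ADD", (R("sp"), Node("imm:4")))},
    "g2": {R("r1"): Node("LDM", (R("r2"),)), R("r3"): Node("ADD", (R("r3"), R("r4"))),
           R("sp"): Node("ADD", (R("sp"), Node("imm:8")))},
    "g3": {R("r5"): Node("ADD", (R("r5"), R("r6")))},
}
```

Running `find_simplest("load_reg_from_mem", SAMPLE)` picks g1 over g2 because g2 carries two side-effect writes instead of one.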

Results
-Algorithms for platform independent return-oriented programming are possible
-We are able to find all necessary gadgets for return-oriented programming using our tool
-Searching for gadgets is not only platform dependent but also highly compiler dependent
-Minimizing side-effects is possible if the right approach is chosen

Future work
-Abstract gadget description language
-Automatic gadget compiler for all platforms
-Bring more platforms to REIL
-Better understand the implications of different compilers